Smartphones, tablets and hybrid devices are taking hold in the workspace, and their increased use, speed and storage capacity are creating new security problems. CISOs are now sold on the notion that the data on these devices is worth considerably more than the device itself, but merely encrypting the device is insufficient.
When mobile devices are designed for seamless data flow between the corporate LAN and mobile endpoint, organizations need a layered security approach. Security strategy needs to include physical protection, encryption and theft recovery/alert reporting.
This realization alone shifts the goalposts significantly, because companies need to move beyond the measures they have in place today in order to protect information, wherever it may go.
Where to Start
In many cases, mobile device security begins well before the mobile device. Full-disk encryption (FDE) protects the data at the user’s desk – but it must be coupled with a data loss protection/prevention (DLP) application to stop information from simply being transferred to a portable storage disk or mobile device. The DLP application can prohibit information from being copied to external devices or create additional layers of encryption where data transfer is essential. These applications can also help ensure secure data is not emailed to a smartphone.
Controlling where data is stored, how it can be accessed, and how easily it can be moved all contribute to overall security. But with so many variables, there is no one-size-fits-all solution.
For some, information transfer is too essential to business operations to forbid, while for others a no-data-transfer policy will work, keeping information completely off mobile devices. This is where organizations turn to cloud technology. Whatever the approach, protection and encryption are the first crucial steps.
The majority of mobile platforms carry VPN clients, which enable secure access to information held on company servers. However, without measures in place to ensure that the data delivered over the VPN cannot be copied onto the mobile device, the protection the VPN's encryption provides in transit is negated.
Additional Protection
A more secure way to protect data on a mobile device, while still allowing employees to use their own hardware, is through multi-tenancy. This means allowing users to have personal and company information on the same device, but firmly segmented from one another. The business segment is linked to the corporate LAN via the VPN, but does not have any links to other areas of the device.
An alternative is a virtualization solution, which allows a user to run a virtual desktop on their mobile device. This gives them full functionality for their 9–5 work day, while keeping corporate data securely segmented. CISOs therefore need not worry about encryption on the device, because there's nothing on the device at all.
If an employee is supplying their own device, a virtual solution means the organization does not have to own the device, nor (in theory) the network, in order to protect it. Physical assets stay in the enterprise, with the intangible logical component on the personal mobile device.
An extreme example of this virtualized solution is the new breed of devices running Google’s Chrome OS. A mobile device running Chrome appears to the end-user as a fully functional mobile computer but it is, in fact, nothing more than a dumb terminal, with no local storage whatsoever.
Mobile Device Management: Stage Three
The last, but equally important, piece of the puzzle is the emerging area known as ‘mobile device management’ (MDM). These solutions monitor remote devices – including laptops, smartphones and tablets – assess conditions that may indicate a breach, and send alerts accordingly.
For example, if policy dictates that a mobile tablet is not supposed to leave a particular site and a geotechnology alerting system indicates that it is traveling to an employee’s home for the weekend, then that’s a strong indicator of a potential breach and resultant liability scenario.
A good MDM solution also has more proactive security benefits, such as notifying the security team about potentially dangerous applications that have been installed on an endpoint. It’s important that the IT team be able to lock, wipe or reset a device that’s out of control.
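As an added illustration of the MDM alerting described above (example code written for this article, not Absolute Software's product or any vendor's API), the following Python check evaluates constructed device check-ins against a hypothetical site-bound geofence policy and a hypothetical blocked-application list; the device identifiers, site coordinates and application names are all made up.

```python
import math

# Constructed policy: devices that must stay on site, mapped to (lat, lon, radius in metres).
# Coordinates and identifiers are hypothetical.
SITE_BOUND = {
    "tablet-017": (51.5007, -0.1246, 500.0),
}

# Constructed denylist of application identifiers the security team has flagged.
BLOCKED_APPS = {"com.example.remote-control", "com.example.sideloaded-tool"}

# Constructed telemetry: each check-in carries the device id, last position and installed apps.
CHECKINS = [
    {"device": "tablet-017", "lat": 51.5010, "lon": -0.1240, "apps": ["com.example.mail"]},
    {"device": "tablet-017", "lat": 51.4500, "lon": -0.2000, "apps": ["com.example.mail"]},
    {"device": "phone-042", "lat": 51.4500, "lon": -0.2000, "apps": ["com.example.remote-control"]},
]

# Recommended responder action per alert type (lock the device when it leaves site,
# notify the team about a flagged app), following the lock/wipe/reset options in the text.
ACTIONS = {"GEOFENCE": "lock", "BLOCKED_APP": "notify"}


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def evaluate(checkin):
    """Return a list of (alert_type, device, detail, action) tuples for one check-in."""
    alerts = []
    dev = checkin["device"]
    if dev in SITE_BOUND:
        lat, lon, radius = SITE_BOUND[dev]
        dist = haversine_m(lat, lon, checkin["lat"], checkin["lon"])
        if dist > radius:  # device reported outside its permitted site fence
            alerts.append(("GEOFENCE", dev, f"{dist:.0f} m from site", ACTIONS["GEOFENCE"]))
    for app in sorted(set(checkin["apps"]) & BLOCKED_APPS):
        alerts.append(("BLOCKED_APP", dev, app, ACTIONS["BLOCKED_APP"]))
    return alerts


def run(checkins):
    """Evaluate every check-in and collect the resulting alerts."""
    return [alert for c in checkins for alert in evaluate(c)]
```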
The mobile security environment continues to evolve, but the good news is that the marketplace is beginning to provide solid solutions to help address endpoint security. And as we've seen, a layered method continues to be the best approach.
Dave Everitt is general manager, EMEA, for Absolute Software, where he is responsible for leadership, strategic development and business partner relations pertaining to the company’s business in the region. He brings over 25 years of experience in developing business in both hardware and software relating to the high-technology international computing and communications market. Before joining Absolute Software his tenure at AMD – lasting more than 20 years – spanned many areas, including hardware design, software engineering and business and market development in embedded and traditional computing segments. Most recently he led the business development group for mobile, desktop, server, graphics and digital home. Everitt holds a degree in electronics engineering, a post-graduate diploma in management studies, and is a Chartered Engineer and a member of the IEE and FEANI.